What is claimed is: 

1. A method for communicating a session key from a first multicast proxy service node of a secure multicast group to a plurality of other multicast proxy service nodes of the multicast group in a communication network, wherein each of the multicast proxy service nodes is capable of establishing multicast communication and serving as a key distribution center, the method comprising the steps of:

creating and storing a group session key associated with the multicast group in a directory;

authenticating the first multicast proxy service node with a subset of the multicast proxy service nodes that are affected by an addition of the first multicast proxy service node to the multicast group, based on the group session key stored in the directory;

receiving a plurality of private keys from the subset of nodes;

receiving a new group session key for the multicast group, for use after addition of the first multicast proxy service node, from a local multicast proxy service node that has received the group session key through periodic replication of the directory;

communicating the new group session key private key to the first multicast proxy service node;

communicating a message to the subset of nodes that causes the subset of nodes to update their private keys.

2. A method as recited in Claim 1, wherein authenticating the plurality of multicast proxy service nodes includes authenticating the plurality of multicast proxy service nodes based on a directory that comprises a directory system agent (DSA) that communicates with one or more of the multicast proxy service nodes and a replication service agent (RSA) that replicates attribute information of the one or more multicast proxy service nodes.

3. A method as recited in Claim 1, wherein receiving a new group session key includes receiving the new group session key from a node of a directory that comprises a directory system agent (DSA) for communicating with one or more of the multicast proxy service nodes and a replication service agent (RSA) for replicating key information of the one or more multicast proxy service nodes.

4. A method as recited in Claim 3, further comprising the step of signaling the replication service agent to carry out replication by storing an updated group session key in a local node of the directory.

5. A method as recited in Claim 1, further comprising distributing a group session key to all nodes by creating and storing the group session key using a first multicast proxy service node of one domain of the directory; replicating the directory; and obtaining the group session key from a local multicast proxy service node that is a replica of the first multicast proxy service node.

6. A method as recited in Claim 1, further comprising distributing a group session key to all nodes by creating and storing the group session key using a first multicast proxy service node of one domain of the directory; replicating the directory; and obtaining the group session key from a local multicast proxy service node that is a replica of the first multicast proxy service node.

7. A communication system for managing addition of a first multicast proxy service node to a secure multicast group that includes a plurality of other multicast proxy service nodes in a communication network, wherein each of the multicast proxy service nodes is capable of establishing multicast communication and serving as a key distribution center, the communication system comprising:

a group controller that creates and manages secure multicast communication among the other multicast proxy service nodes, having a private key;

a computer-readable medium comprising one or more instructions which, when executed by one or more processors, cause the one or more processors to carry out the steps of:

creating and storing a group session key associated with the multicast group in a directory;

authenticating the first multicast proxy service node with a subset of the multicast proxy service nodes that are affected by an addition of the multicast proxy service node to the multicast group, based on the group session key stored in the directory;

receiving a plurality of private keys from the subset of nodes;

receiving a new group session key for the multicast group, for use after addition of the first multicast proxy service node, from a local multicast proxy service node that has received the group session key through periodic replication of the directory;

communicating the new group session key private key to the first multicast proxy event service node;

communicating a message to the subset of nodes that causes the subset of nodes to update their private keys.

8. A method for creating a secure multicast or broadcast group among a plurality of multicast proxy event service nodes, the method comprising the steps of:

authenticating the plurality of multicast proxy service nodes via a directory that includes a directory system agent (DSA) for communicating with one or more of the multicast proxy service nodes and for replicating attribute information of the one or more multicast proxy service nodes;

generating private keys for each of the multicast proxy service nodes, the private keys providing unique identification within the tree structure;

generating a first group session key for establishing the secure multicast or broadcast group among the multicast proxy service nodes;

distributing the first group session key among the multicast proxy service nodes by using periodic directory replication of the attribute information, wherein the attribute information comprises the first group session key, and the private keys; and

forming a second secure multicast group among the plurality of client nodes by one of the leaf nodes using a second group session key obtained from a local replica of the node that generated the first group session key.

9. The method as recited in Claim 8, further comprising selectively updating the first group session key and the private keys using the DSA, wherein the step of selectively updating comprises:

detecting whether one of the nodes is leaving the secure multicast or broadcast group;

determining which of other nodes are affected by deletion of the leaving node;

updating the private keys of the affected intermediate nodes;

generating a new group session key;

modifying the attribute information based upon the updated private keys and the new group session key; and

distributing the modified attribute using directory replication.

10. The method as recited in Claim 8, further comprising selectively updating the first group session key and the private keys via the DSA, wherein the step of selectively updating comprises:

receiving a request message from a new node to join the secure multicast or broadcast group;

determining which other nodes are affected by addition of the joining node;

updating the private keys of the affected nodes;

generating a new group session key and a private key of the new node;

modifying the attribute information based upon the updated private keys, the new group session key, and the private key of the new node; and

distributing the modified attribute information using directory replication.

11. A communication system for creating a secure multicast or broadcast group, the communication system comprising:

a plurality of multicast proxy service nodes, each of the multicast proxy service nodes having attribute information comprising a group identification value for uniquely identifying a particular one of the multicast proxy service nodes, wherein the plurality of multicast proxy service nodes form a logical arrangement of the multicast proxy service nodes according to a tree structure, the tree structure having a root node, intermediate nodes, and leaf nodes, one of the multicast proxy service node being designated as a primary multicast proxy service node, the primary multicast proxy service node being mapped to the root node, the other multicast proxy service nodes having private keys corresponding to the group identification values and being mapped to the intermediate nodes and the leaf nodes;

a directory comprising a directory system agent (DSA) for communicating with one or more of the multicast proxy service nodes to authenticate each of the multicast proxy service nodes and for replicating the attribute information of the one or more multicast proxy service nodes; and

a plurality of client nodes coupled to one of the multicast proxy service nodes, the one multicast proxy service node creating a secure multicast or broadcast client group that is separate from the secure multicast or broadcast group;

wherein one of the multicast proxy service nodes generates a first group session key for establishing the secure multicast or broadcast group among the plurality of multicast proxy service nodes and distributes the first group session key to other nodes in the group using directory replication.

12. A computer system for establishing a secure multicast or broadcast group, the computer system comprising:

a communication interface for communicating with a plurality of external computer systems and for interfacing a directory to authenticate the computer system and the plurality of external computer systems;

a bus coupled to the communication interface for transferring data;

one or more processors coupled to the bus for selectively generating a group session key and private keys corresponding to the plurality of external computer systems, and for logically operating with the plurality of external computer systems according to a tree structure, the tree structure having a root node, intermediate nodes, and leaf nodes, wherein the computer system is mapped to the root node, the plurality of external computer systems are mapped to the intermediate nodes and the leaf nodes, the corresponding private keys providing unique identification of respective plurality of external computer systems within the tree structure, the group session key being distributed using directory replication using a directory system agent of the directory; and

a memory coupled to the one or more processors via the bus, the memory includes one or more sequences of instructions which when executed by the one or more processors cause the one or more processors to perform the step of selectively updating the group session key and the private keys in response to whether a new client joins or a one of the client nodes leaves the multicast or broadcast group.

13. A computer-readable medium carrying one or more sequences of instructions for communicating a session key from a first multicast proxy service node of secure multicast group to a plurality of other multicast proxy service nodes of the multicast group in a communication network, wherein each of the multicast proxy service nodes is capable of establishing multicast communication and serving as a key distribution center, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:

creating and storing a group session key associated with the multicast group in a directory;

authenticating the first multicast proxy service node with a subset of the multicast proxy service nodes that are affected by an addition of the first multicast proxy service node to the multicast group, based on the group session key stored in the directory;

receiving a plurality of private keys from the subset of nodes;

receiving a new group session key for the multicast group for use after addition of the first multicast proxy service node from a local multicast proxy service node that has received the group session key through periodic replication of the directory;

communicating the new group session key private key to the first multicast proxy service node;

communicating a message to the subset of nodes that causes the subset of nodes to update their private keys.
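Added illustration, not part of the claims and not the patentee's implementation: a small model of the selective update recited in Claims 9 and 10, in which a membership change refreshes only the private keys of the affected nodes plus the group session key, and the result reaches other nodes through a replication pass. Assumptions: the tree is binary and heap-numbered, the "affected" nodes are the intermediate nodes between the changed leaf and the root, keys are random 16-byte values, and plain dictionaries stand in for directory replicas; the names KeyTree, rekey and replicate are hypothetical.

```python
from secrets import token_bytes

class KeyTree:
    """Heap-numbered binary tree (assumed): 1 = root, 2..n-1 intermediate, n..2n-1 leaves."""
    def __init__(self, n_leaves):
        self.private_keys = {i: token_bytes(16) for i in range(2, 2 * n_leaves)}
        self.group_session_key = token_bytes(16)

    def affected(self, leaf):
        """Intermediate nodes between the changed leaf and the root."""
        path, node = [], leaf // 2
        while node > 1:
            path.append(node)
            node //= 2
        return path

    def rekey(self, leaf, joining):
        """Leave (Claim 9) or join (Claim 10): refresh affected keys and the session key."""
        if joining:
            self.private_keys[leaf] = token_bytes(16)   # private key of the new node
        else:
            self.private_keys.pop(leaf, None)           # leaving node loses its key
        changed = self.affected(leaf)
        for node in changed:
            self.private_keys[node] = token_bytes(16)
        self.group_session_key = token_bytes(16)
        return changed

    def attributes(self):  # attribute information held in the directory entry
        return {"group_session_key": self.group_session_key,
                "private_keys": dict(self.private_keys)}

def replicate(entry, replicas):
    """Stand-in for one pass of periodic directory replication."""
    for replica in replicas:
        replica.clear()
        replica.update(entry)

def demo():
    tree = KeyTree(8)                        # constructed group: leaves 8..15
    before, replicas = tree.attributes(), [{}, {}]
    replicate(before, replicas)
    changed = tree.rekey(13, joining=False)  # node 13 leaves the group
    after = tree.attributes()
    stale = replicas[0]["group_session_key"] != after["group_session_key"]
    replicate(after, replicas)
    kept = sorted(n for n, k in after["private_keys"].items()
                  if before["private_keys"].get(n) == k)
    return changed, stale, kept, replicas
```

In this model the replicas still hold the previous group session key (`stale` is true) until the next replication pass runs, so the replication interval bounds how long the old key remains in use after a member leaves.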